Managing Users and Rights (Task Map)

In Trusted Extensions, you assume the Security Administrator role to administer users, authorizations,
rights, and roles. The following task map describes common tasks that you perform
for users who operate in a labeled environment.

Task: Modify a user's label range.

Description: Modifies the labels at which a user can work. Modifications can restrict or extend the range that the label_encodings file permits.

For Instructions: How to Modify a User's Label Range

How to Modify a User's Label Range

You might want to extend a user's label range to give the
user read access to an administrative application. For example, a user who can
log in to the global zone could then view a list of the
systems that run at a particular label. The user could view, but not
change, the contents.

Alternatively, you might want to restrict the user's label range. For example, a
guest user might be limited to one label.

Before You Begin

You must be in the Security Administrator role in the global zone.

Do one of the following:

To extend the user's label range, assign a higher clearance.

# usermod -K min_label=INTERNAL -K clearance=ADMIN_HIGH jdoe

You can also extend the user's label range by lowering the minimum
label.

To restrict the label range to one label, make the clearance equal to
the minimum label.

# usermod -K min_label=INTERNAL -K clearance=INTERNAL jdoe

How to Create a Rights Profile for Convenient Authorizations

Where site security policy permits, you might want to create a rights profile
that bundles the authorizations needed by users whose tasks require authorization. To
enable every user of a particular system to be authorized, see How to Modify policy.conf Defaults.

Before You Begin

You must be in the Security Administrator role in the global zone.

Create a rights profile that contains one or more of the following authorizations.

solaris.device.allocate – Authorizes a user to allocate a peripheral device, such as a microphone or CD-ROM.

By default, Oracle Solaris users can read and write to a CD-ROM. However, in Trusted Extensions, only users who can allocate a device can access the CD-ROM drive. To allocate the drive for use requires authorization. Therefore, to read and write to a CD-ROM in Trusted Extensions, a user needs the Allocate Device authorization.

solaris.label.file.downgrade – Authorizes a user to lower the security level of a file.

solaris.label.file.upgrade – Authorizes a user to heighten the security level of a file.

solaris.label.win.downgrade – Authorizes a user to select information from a higher-level file and place that information in a lower-level file.

solaris.label.win.noview – Authorizes a user to move information without viewing the information that is being moved.

solaris.label.win.upgrade – Authorizes a user to select information from a lower-level file and place that information in a higher-level file.

solaris.login.remote – Authorizes a user to remotely log in.

solaris.print.ps – Authorizes a user to print PostScript files.

solaris.print.nobanner – Authorizes a user to print hard copy without a banner page.

solaris.print.unlabeled – Authorizes a user to print hard copy that does not display labels.

solaris.system.shutdown – Authorizes a user to shut down the system and to shut down a zone.

Tip - You can create a rights profile for an application or a class
of applications that have desktop icons. Then, add the Trusted Desktop Applets rights profile
as a supplementary rights profile for desktop access.

Assign the user the Trusted Desktop Applets and Stop rights profiles.

# usermod -P "Trusted Desktop Applets,Stop" username

This user can use the trusted desktop, but cannot launch a terminal window,
act as the Console User, or have any of the rights contained
in the Basic Solaris User rights profile.

Example 11-5 Enabling a Desktop User to Open a Terminal Window

In this example, the administrator enables a desktop user to open a terminal
window. The administrator has already created the Desktop Applets rights profile for Oracle
Solaris desktop users and the Trusted Desktop Applets rights profile for Trusted Extensions
desktop users in the LDAP repository.

First, the administrator creates the Terminal Window rights profile and verifies its contents.

Then, the administrator assigns this rights profile and the All rights profile to
desktop users who require terminal windows to perform their tasks. Without the All
rights profile, users would not be able to run UNIX commands that do
not require privilege, such as ls and cat.

By removing the proc_info privilege, you prevent the user from examining any processes
that do not originate from the user. By removing the proc_session privilege, you
prevent the user from examining any processes outside the user's current session. By
removing the file_link_any privilege, you prevent the user from making hard links to files
that are not owned by the user.

To restrict the privileges of all users on a system, see Example 11-2.

How to Prevent Account Locking for Users

Perform this procedure for all users who can assume a role.

Before You Begin

You must be in the Security Administrator role in the global zone.

Turn off account locking for a local user.

# usermod -K lock_after_retries=no jdoe

To turn off account locking for an LDAP user, specify the LDAP
repository.

# usermod -S ldap -K lock_after_retries=no jdoe

How to Enable a User to Change the Security Level of Data

A regular user or a role can be authorized to change the
security level, or labels, of files and directories or of selected text. The
user or role, in addition to having the authorization, must be configured to
work at more than one label. In addition, the labeled zones must be configured
to permit relabeling. For the procedure, see How to Enable Files to Be Relabeled From a Labeled Zone.

Caution - Changing the security level of data is a privileged operation. This task is
for trustworthy users only.
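The label-range, account-locking and authorization procedures above all end up as key=value attributes in the user_attr and prof_attr repositories. As an added example (not from the Oracle Solaris documentation and not part of the Trusted Extensions tools), the following POSIX shell script audits constructed user_attr- and prof_attr-style entries for three conditions a Security Administrator would want to verify after running usermod -K or usermod -P: that every explicit clearance dominates the user's min_label, that every user who can assume a role carries lock_after_retries=no, and which users hold a given authorization such as solaris.label.file.downgrade, either directly or through an assigned rights profile. The sample entries, the profile definitions and the classification order are constructed for the example; on a real system the inputs would be /etc/user_attr, /etc/prof_attr (or the LDAP repository) and the site's label_encodings file, and the profile-resolution here ignores nested profiles.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation. Audits
# user_attr(4)- and prof_attr(4)-style entries for the settings this
# page configures with usermod -K / -P:
#   1. clearance must dominate min_label (label range sanity)
#   2. users who can assume a role should carry lock_after_retries=no
#   3. who holds a given authorization, directly or via a rights profile
# All data below is constructed sample data; CLASSIFICATIONS stands in
# for the site's label_encodings file and is ordered lowest first.

CLASSIFICATIONS="PUBLIC INTERNAL NEED_TO_KNOW RESTRICTED ADMIN_HIGH"

# user_attr format: user:qualifier:res1:res2:attr  (attr is key=value;key=value)
SAMPLE_USER_ATTR='jdoe::::min_label=INTERNAL;clearance=ADMIN_HIGH;roles=secadmin;lock_after_retries=no;profiles=Convenient Authorizations
guest::::min_label=INTERNAL;clearance=INTERNAL
asmith::::min_label=RESTRICTED;clearance=INTERNAL;roles=sysadmin;auths=solaris.label.file.downgrade
bjones::::roles=sysadmin;profiles=Trusted Desktop Applets,Stop'

# prof_attr format: profname:res1:res2:desc:attr (constructed profile contents)
SAMPLE_PROF_ATTR='Convenient Authorizations:::Constructed site profile:auths=solaris.device.allocate,solaris.label.file.downgrade
Trusted Desktop Applets:::Constructed desktop profile:auths=solaris.system.shutdown'

# rank LABEL -> 1-based position in CLASSIFICATIONS, 0 if absent or empty
rank() {
    i=0
    for c in $CLASSIFICATIONS; do
        i=$((i + 1))
        if [ "$c" = "$1" ]; then echo "$i"; return; fi
    done
    echo 0
}

# attr ENTRY KEY -> value of KEY from the attr (5th) field of one entry
attr() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '{
        n = split($5, kv, ";")
        for (j = 1; j <= n; j++) {
            eq = index(kv[j], "=")
            if (eq && substr(kv[j], 1, eq - 1) == key) { print substr(kv[j], eq + 1); exit }
        }
    }'
}

# bad_label_ranges -> users whose clearance is unknown or below min_label
bad_label_ranges() {
    printf '%s\n' "$SAMPLE_USER_ATTR" | while IFS= read -r entry; do
        user=${entry%%:*}
        min=$(attr "$entry" min_label)
        clr=$(attr "$entry" clearance)
        # no explicit range: the user inherits the policy.conf defaults
        if [ -z "$min" ] && [ -z "$clr" ]; then continue; fi
        if [ "$(rank "$clr")" -eq 0 ] || [ "$(rank "$clr")" -lt "$(rank "$min")" ]; then
            echo "$user"
        fi
    done
}

# role_users_without_nolock -> users with roles= that lack lock_after_retries=no
role_users_without_nolock() {
    printf '%s\n' "$SAMPLE_USER_ATTR" | while IFS= read -r entry; do
        user=${entry%%:*}
        if [ -n "$(attr "$entry" roles)" ] && [ "$(attr "$entry" lock_after_retries)" != "no" ]; then
            echo "$user"
        fi
    done
}

# profile_auths PROFILE -> comma-separated auths granted by PROFILE
profile_auths() {
    printf '%s\n' "$SAMPLE_PROF_ATTR" | awk -F: -v p="$1" '$1 == p {
        n = split($5, kv, ";")
        for (j = 1; j <= n; j++) if (index(kv[j], "auths=") == 1) print substr(kv[j], 7)
    }'
}

# users_with_auth AUTH -> users holding AUTH directly or via an assigned profile
users_with_auth() {
    printf '%s\n' "$SAMPLE_USER_ATTR" | while IFS= read -r entry; do
        user=${entry%%:*}
        held=$(attr "$entry" auths)
        profs=$(attr "$entry" profiles)
        IFS=,    # profile names may contain spaces, so split on commas only
        for p in $profs; do held="$held,$(profile_auths "$p")"; done
        unset IFS
        case ",$held," in *",$1,"*) echo "$user" ;; esac
    done
}

# Stand-alone run: print each finding on one line
echo "clearance below min_label: $(bad_label_ranges | tr '\n' ' ')"
echo "role users still subject to lockout: $(role_users_without_nolock | tr '\n' ' ')"
echo "can downgrade files: $(users_with_auth solaris.label.file.downgrade | tr '\n' ' ')"
```

In the constructed data, asmith is reported by the first check (a RESTRICTED minimum with an INTERNAL clearance cannot be satisfied by any session label), asmith and bjones by the second (both can assume a role but have not had lock_after_retries=no applied), and jdoe and asmith by the third (one through the constructed Convenient Authorizations profile, the other through a direct auths= entry). Run it as `sh audit.sh`; to audit a real system, replace the two SAMPLE_ variables with the contents of the repositories and the classification list with the order from label_encodings.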

How to Delete a User Account From a Trusted Extensions System

When a user is removed from the system, you must ensure that
the user's home directory and any objects that the user owns are also
deleted. As an alternative to deleting objects that are owned by the user,
you might change the ownership of these objects to a valid user.

You must also ensure that all batch jobs that are associated with
the user are deleted. No objects or processes belonging to a removed
user can remain on the system.

Before You Begin

You must be in the System Administrator role in the global zone.

Archive the user's home directory at every label.

Archive the user's mail files at every label.

Delete the user account.

# userdel -r jdoe

In every labeled zone, manually delete the user's directories and mail files.

Note - You are responsible for finding and deleting the user's temporary files at all
labels, such as files in /tmp directories.